[1272] in WWW Security List Archive


Password protected Web pages (was SECURITY ALERT)

daemon@ATHENA.MIT.EDU (John Franks)
Tue Dec 19 12:35:35 1995

From: John Franks <john@math.nwu.edu>
To: lstein@genome.wi.mit.edu (Lincoln D. Stein)
Date: Tue, 19 Dec 1995 08:31:06 -0600 (CST)
Cc: fred@nasirc.hq.nasa.gov, www-security@ns2.rutgers.edu,
        jcarroll@redman.canada.dg.com, tara@linkage.cpmc.columbia.edu
In-Reply-To: <v0214036facfb9c673da7@[18.157.0.189]> from "Lincoln D. Stein" at Dec 18, 95 05:35:14 pm
Errors-To: owner-www-security@ns2.rutgers.edu

According to Lincoln D. Stein:
> 
> Dave McComb is right.  The password isn't being cached, just the protected
> document.  I'm not sure I like this much better.  I don't want the next
> person who uses my personal computer to have access to all the protected
> documents I recently viewed.
> 

It is worth noting that this bug exists in browsers other than Netscape.
I have observed it also in NCSA Mosaic 2.0.0beta5 and 2.0.1 (both for
the Mac).  We will have badly behaved clients in use for some time
and should not feel this problem is cured when the Netscape betas 
expire.

Lincoln, what I would suggest for the security FAQ is that server
maintainers be advised to make all password protected documents 
uncachable.  Of course, there is no way for a server to force 
a client not to cache a document, but most clients don't cache a
document when they are instructed not to.

The way to get one's server to indicate a file should not be cached
(more precisely, if I recall, to send a "Pragma: no-cache" header and
no "Last-Modified" header) varies from server to server.  With the WN
server it simply requires a "Default-Attributes=dynamic" directive
for the password protected directory.

If you want to test that this remedies the problem with the Netscape
browser (and presumably others) try the URL

	http://hopf.math.nwu.edu/docs/examples/index.html

There is a link on that page to a password protected file.  The
link is obvious.  You can access the file with username "santa"
and password "red-nosed".  Since the file is marked not to be cached
the problem does not occur.

John Franks
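
Added example, not part of John Franks's message and not WN server code: a Python check over raw HTTP response heads that reports when a 200 reply to a request that carried credentials lacks "Pragma: no-cache" or still carries "Last-Modified". The sample responses are constructed, the function names are hypothetical, and accepting "Cache-Control: no-store" as equivalent goes beyond what the 1995 message describes.

```python
from email.parser import Parser

# Constructed sample response heads (not captured traffic).
CACHEABLE = ("HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
             "Last-Modified: Mon, 18 Dec 1995 10:00:00 GMT\r\n\r\n")
UNCACHEABLE = "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nPragma: no-cache\r\n\r\n"
CHALLENGE = 'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="example"\r\n\r\n'


def parse_head(raw):
    """Split a raw response head into (status code, case-insensitive headers)."""
    status_line, _, rest = raw.replace("\r\n", "\n").partition("\n")
    return int(status_line.split()[1]), Parser().parsestr(rest, headersonly=True)


def directives(headers, name):
    """All comma-separated tokens of a header, lower-cased, across repeated lines."""
    return {t.strip().lower() for v in headers.get_all(name, []) for t in v.split(",")}


def caching_findings(raw, sent_credentials):
    """Reasons a well-behaved client might still keep a protected document."""
    status, headers = parse_head(raw)
    # Only a 200 reply to a request that carried credentials holds protected
    # content; the 401 challenge itself and public pages are out of scope.
    if not sent_credentials or status != 200:
        return []
    findings = []
    # "Pragma: no-cache" is the header named in the message; treating
    # "Cache-Control: no-store" as equivalent is an assumption added here.
    if ("no-cache" not in directives(headers, "Pragma")
            and "no-store" not in directives(headers, "Cache-Control")):
        findings.append("missing Pragma: no-cache")
    if "Last-Modified" in headers:
        findings.append("Last-Modified present")
    return findings


if __name__ == "__main__":
    for label, raw in (("cacheable", CACHEABLE), ("uncacheable", UNCACHEABLE),
                       ("challenge", CHALLENGE)):
        print(label, caching_findings(raw, sent_credentials=True) or "ok")
```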
